Unpatched Zimbra Platforms Are Probably Compromised, CISA Says

Security teams running unpatched, Internet-connected Zimbra Collaboration Suites (ZCS) should just go ahead and assume compromise, and take immediate detection and response action.

That's according to a new alert issued by the Cybersecurity and Infrastructure Security Agency, which flagged active Zimbra exploits for CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, which are being chained with CVE-2022-37042, and CVE-2022-30333. The attacks lead to remote code execution and access to the Zimbra platform.

The result could be quite risky when it comes to shielding sensitive information and preventing email-based follow-on threats: ZCS is a suite of business communications services that includes an email server and a Web client for accessing messages via the cloud.

CISA, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), provided detection details and indicators of compromise (IoCs) to help security teams.

"Cyber-threat actors may be targeting unpatched ZCS instances in both government and private sector networks," according to a Zimbra advisory.

CISA and the MS-ISAC strongly urged users and administrators to apply the guidance in the Recommendations section of this Cybersecurity Advisory to help secure their organization's systems against malicious cyberactivity.